Bug 851860 - selinux policy is preventing libvirt-guests to shutdown or suspend guests
Summary: selinux policy is preventing libvirt-guests to shutdown or suspend guests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 843836
TreeView+ depends on / blocked
 
Reported: 2012-08-26 15:40 UTC by Gerd v. Egidy
Modified: 2012-09-21 23:59 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-21 23:59:13 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Gerd v. Egidy 2012-08-26 15:40:49 UTC 
Description of problem:
The systemd service libvirt-guests.service is designed to shut down or suspend running guest vms when the host is shut down. The service was recently fixed to work at all (#843836), but now the selinux policy is preventing it to work. The service does several calls to virsh, which in turn checks and contacts libvirtd. This is then blocked by the selinux targeted policy.

Version-Release number of selected component (if applicable):
# rpm -q libvirt
libvirt-0.9.11.5-3.fc17.x86_64
# rpm -q selinux-policy
selinux-policy-3.10.0-145.fc17.noarch

How reproducible:
always

Steps to Reproduce:
1. virsh start xyz
2. setenforce permissive
3. systemctl stop libvirt-guests.service
4. grep virsh /var/log/audit/audit.log | grep denied

Actual results:
type=AVC msg=audit(1345982037.969:27): avc:  denied  { getattr } for  pid=2922 comm="virsh" path="/usr/sbin/libvirtd" dev="sda2" ino=728072 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virtd_exec_t:s0 tclass=file
type=AVC msg=audit(1345982037.969:28): avc:  denied  { write } for  pid=2922 comm="virsh" name="libvirt-sock" dev="tmpfs" ino=8141 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1345982037.998:29): avc:  denied  { read } for  pid=2933 comm="virsh" name="libvirt.conf" dev="sda2" ino=2314770 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file
type=AVC msg=audit(1345982037.998:29): avc:  denied  { open } for  pid=2933 comm="virsh" path="/etc/libvirt/libvirt.conf" dev="sda2" ino=2314770 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file
type=AVC msg=audit(1345982037.998:30): avc:  denied  { write } for  pid=2933 comm="virsh" name="libvirt-sock" dev="tmpfs" ino=8141 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1345982037.998:30): avc:  denied  { connectto } for  pid=2933 comm="virsh" path="/run/libvirt/libvirt-sock" scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1345982043.188:33): avc:  denied  { getattr } for  pid=3032 comm="virsh" path="/usr/sbin/libvirtd" dev="sda2" ino=728072 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virtd_exec_t:s0 tclass=file

Expected results:
no denied calls

Additional info:

audit2allow suggests the following changes to policy:

allow virsh_t virt_etc_t:file { read open };
allow virsh_t virt_var_run_t:sock_file write;
allow virsh_t virtd_exec_t:file getattr;
allow virsh_t virtd_t:unix_stream_socket connectto;
Comment 1 Miroslav Grepl 2012-08-27 11:41:42 UTC 
Did you try to create a local policy module with this rules?
Comment 2 Gerd v. Egidy 2012-08-27 16:21:54 UTC 
(In reply to comment #1)
> Did you try to create a local policy module with this rules?

yes, then everything works as expected for me.

But I just run qemu/kvm virtualization on my machine. It may be that it still fails with any of the other virtualization backends that libvirt supports. I think the codepaths and syscalls used within virsh to connect to them are different then.
Comment 3 Miroslav Grepl 2012-08-28 08:12:48 UTC 
Fixed in selinux-policy-3.10.0-148.fc17
Comment 4 Kenny Root 2012-08-29 05:53:17 UTC 
I had to add this in order to get everything to work after updating to -148.fc17:

allow virsh_t virtd_exec_t:file getattr;
Comment 5 Gerd v. Egidy 2012-09-01 19:49:40 UTC 
I can confirm Kennys report:

# rpm -q selinux-policy
selinux-policy-3.10.0-148.fc17.noarch

when stopping the libvirt-guests service I get this denied message in the audit log:

type=AVC msg=audit(1346528581.292:51): avc:  denied  { getattr } for  pid=5176 comm="virsh" path="/usr/sbin/libvirtd" dev="sda1" ino=1587265 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:virtd_exec_t:s0 tclass=file

adding this to the policy fixes the problem:

allow virsh_t virtd_exec_t:file getattr;
Comment 6 Miroslav Grepl 2012-09-03 17:53:08 UTC 
Added also a rule for this AVC msg.
Comment 7 Fedora Update System 2012-09-17 12:13:29 UTC 
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17
Comment 8 Fedora Update System 2012-09-19 02:55:03 UTC 
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-09-21 23:59:13 UTC 
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.